5 Answers
5

You are right that SPV as described in the Bitcoin paper does not explain how to discover payments to yourself, without downloading full blocks. My guess is that Satoshi either planned to develop this later, or that he assumed you'd just be told about payments to yourself (pay-to-IP, as existed next to pay-to-pubkeyhash as is used now).

Practical implementations of SPV nodes today however use a protocol extension called bloom filters, described in BIP 37. They use getheaders to fetch block information prior to their wallet's birth timestamp, and request filtered blocks afterwards. To do so, they submit a bloom filter that describes the addresses and transactions they are interested in to the peer. The peer then only includes the relevant transactions in blocks it submits, together with their Merkle paths to prove that these transactions were indeed part of said block.

/**
* The "getheaders" command is structurally identical to "getblocks", but has different meaning. On receiving this
* message a Bitcoin node returns matching blocks up to the limit, but without the bodies. It is useful as an
* optimization: when your wallet does not contain any keys created before a particular time, you don't have to download
* the bodies for those blocks because you know there are no relevant transactions.
*/

I downvoted. Verifying transaction is exactly the thing SPV does not do: it only verifies the block chain, not the transactions in it.
– Pieter WuilleJun 19 '13 at 9:36

SPV clients can calculate balances and can list transactions to certain addresses by requesting filtered blocks. SPV clients also verify transaction validity by verifying the signatures; what SPV does not verify is inclusion of outputs in the utxo, so double spending is possible.
– dionyzizJan 25 '16 at 0:02

@dionyziz SPV clients cannot verify signatures, as they don't have the UTXO entries to know what to verify against.
– Pieter WuilleSep 5 '16 at 17:17